码迷,mamicode.com
首页 > 其他好文 > 详细

IAT HOOK 简单实现

时间:2020-07-26 15:39:28      阅读:75      评论:0      收藏:0      [点我收藏+]

标签:dll   address   物理   message   简单   esc   ddr   lse   new   

注意的事项:

1、操作部分在IAT表中

2、HOOK函数中需要用函数指针接收,因为此时IAT已经被HOOK,如果直接return 原函数,其实会造成栈溢出,因为此时的原函数已经被HOOK了,会造成类似的递归操作

3、最后HOOK完,需要进行 卸载HOOK 操作

4、如果debug的时候发现IAT表中是能写进去的,但是发现写入异常,则可能跟物理页的属性有关,需要进行VirtualProtect设置

#include<Windows.h>
#include<cstdio>


DWORD dwMessagebox = (DWORD)GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");

int WINAPI MyMessageBox(_In_opt_ HWND hWnd, _In_opt_ LPCSTR lpText, _In_opt_ LPCSTR lpCaption, _In_ UINT uType){
	typedef int(WINAPI *PMyMessageBox)(_In_opt_ HWND hWnd, _In_opt_ LPCSTR lpText, _In_opt_ LPCSTR lpCaption, _In_ UINT uType);

	printf("Hook Messagebox Param: hWnd: %x, lpText: %s, lpCation: %s, uType: %x", hWnd, lpText, lpCaption, uType);

	PMyMessageBox MyMessageBox = (PMyMessageBox)dwMessagebox;
	return MyMessageBox(0, TEXT("It‘s My Hook Messagebox!"), 0, 0);
}


void InstallIatHook(DWORD dwOldFunction, DWORD dwNewFunction)
{

	HMODULE hModule = GetModuleHandle(NULL);

	// load pe
	PIMAGE_DOS_HEADER pDosHeader = NULL;
	PIMAGE_NT_HEADERS pNTHeader = NULL;
	PIMAGE_FILE_HEADER pPEHeader = NULL;
	PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
	PIMAGE_IMPORT_DESCRIPTOR pIMPORT_DESCRIPTOR = NULL;
	PIMAGE_IMPORT_BY_NAME pImage_IMPORT_BY_NAME = NULL;

	PDWORD OriginalFirstThunk = NULL;
	PDWORD FirstThunk = NULL;
	PIMAGE_THUNK_DATA pImageThunkData = NULL;

	DWORD Original = 0;

	pDosHeader = (PIMAGE_DOS_HEADER)hModule;
	pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosHeader->e_lfanew);
	pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader) + 4);
	pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
	pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + sizeof(IMAGE_OPTIONAL_HEADER32));
	
	pIMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hModule + pOptionHeader->DataDirectory[1].VirtualAddress);

	DWORD dwOldProtect; // 内存页属性
	BOOL bFlag = TRUE;
	//这里可以进行while操作,这里while的判断依据为pIMPORT_DESCRIPTOR个数
	while (pIMPORT_DESCRIPTOR->FirstThunk && bFlag) {
		FirstThunk = (PDWORD)((DWORD)hModule + (DWORD)pIMPORT_DESCRIPTOR->FirstThunk);
		while (*FirstThunk) {
			if (*FirstThunk == dwOldFunction)
			{
				VirtualProtect((LPVOID)FirstThunk, 0x4, PAGE_READWRITE, &dwOldProtect);
				*FirstThunk = dwNewFunction;
				bFlag = FALSE;
				break;
			}
		
			FirstThunk++;
		}

		// 进行遍历操作
		pIMPORT_DESCRIPTOR++;
	}

}

void UninstallIatHook(DWORD dwOldFunction, DWORD dwNewFunction)
{
	HMODULE hModule = GetModuleHandle(NULL);

	// load pe
	PIMAGE_DOS_HEADER pDosHeader = NULL;
	PIMAGE_NT_HEADERS pNTHeader = NULL;
	PIMAGE_FILE_HEADER pPEHeader = NULL;
	PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
	PIMAGE_IMPORT_DESCRIPTOR pIMPORT_DESCRIPTOR = NULL;
	PIMAGE_IMPORT_BY_NAME pImage_IMPORT_BY_NAME = NULL;

	PDWORD OriginalFirstThunk = NULL;
	PDWORD FirstThunk = NULL;
	PIMAGE_THUNK_DATA pImageThunkData = NULL;

	DWORD Original = 0;

	pDosHeader = (PIMAGE_DOS_HEADER)hModule;
	pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosHeader->e_lfanew);
	pPEHeader = (PIMAGE_FILE_HEADER)(((DWORD)pNTHeader) + 4);
	pOptionHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
	pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + sizeof(IMAGE_OPTIONAL_HEADER32));

	pIMPORT_DESCRIPTOR = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)hModule + pOptionHeader->DataDirectory[1].VirtualAddress);

	BOOL bFlag = TRUE;
	//这里可以进行while操作,这里while的判断依据为pIMPORT_DESCRIPTOR个数
	while (pIMPORT_DESCRIPTOR->FirstThunk && bFlag) {
		FirstThunk = (PDWORD)((DWORD)hModule + (DWORD)pIMPORT_DESCRIPTOR->FirstThunk);
		while (*FirstThunk) {
			if (*FirstThunk == dwOldFunction)
			{
				*FirstThunk = dwNewFunction;
				bFlag = FALSE;
				break;
			}

			FirstThunk++;
		}

		// 进行遍历操作
		pIMPORT_DESCRIPTOR++;
	}
}

int main(int argc, char* argv[]){
	InstallIatHook(dwMessagebox, (DWORD)MyMessageBox);
	MessageBox(0, 0, 0, 0);
	UninstallIatHook((DWORD)MyMessageBox, dwMessagebox);
	MessageBox(0, 0, 0, 0);

	return 0;
}

技术图片

IAT HOOK 简单实现

标签:dll   address   物理   message   简单   esc   ddr   lse   new   

原文地址:https://www.cnblogs.com/zpchcbd/p/13379896.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!